CRYPTOGRAPHY Ch 4: A Model for Information Security Planning Mohammed Minhajuddin Khan
Topics
Information System Architecture and Design Layer: specifies the information system security measures. An information system is the combination of systems, networks, service applications, and underlying telecommunication services, and its security depends on how the underlying architecture is designed and implemented.
Web Services Protection Layer: specifies the security measures at the web services level. The use of the Internet and open systems creates the need to secure this layer of services that interact with the Web.
The Eight P’s of Security Layer: addresses the soft side of information security. This layer is concerned with people.
INFORMATION SYSTEM ARCHITECTURE AND DESIGN LAYER
This level generally operates in an open environment, so security cannot be taken for granted. The information security specialist should be concerned with the following.
Create choke points, well known as gateways. These are created to perform screening (screening of identity, content checking, and malicious signatures) and are easy to build using routers.
Viruses and worms have long been the misery of information security professionals. Virus scanners are one option for protection from this nemesis; they work by checking information content for a malicious signature.
Maintain a posture of least privilege. The idea behind the principle of least privilege is to minimize the attacker’s potential.
Understand the security profile of third-party providers. Third-party providers are usually high-profile hacker targets, so the information security specialist should understand the provider’s security issues and take action to protect the organization’s information. This is a good example of why applying cryptographic methods and authentication processes is important.
INFORMATION SYSTEM ARCHITECTURE AND DESIGN LAYER (continued)
Implement event monitoring, intrusion detection, and logging systems. Through these systems, law enforcement officials may also benefit in the investigation of a crime.
Develop a permission-based architecture (a closed architecture). Example: a router, when creating access control lists.
Extend cryptographic methods for use at the network and system level (VPN, SSL, SET, IPsec, etc.). These are the crux of this work: by using these network encryption services, it is possible to form secure tunnels through the open Internet.
Secure the information system from both internal and external threats. 70% of all computer crime originates from within the pool of trusted insiders, so security management and corporate management should keep a watchful eye on both internal and external threats.
Create system-level, application-level, and network-level tie-ins to the authentication and verification system.
WEB SERVICES PROTECTION LAYER
Web services include browsing simple or complex information, file transfer, name and address resolution, secure funds transfer, transaction processing, and use of the Web for private communications. Here the information is public, so the cryptographic methods should provide secure transactions and have to be harder to break.
Goals to accomplish in this layer:
Client-side user privacy. A primary function of the web services layer in our security model is to prevent attacks.
Prevention of inappropriate release of secure content by clients.
Protection of the web server from being accessed in an unauthorized way. Know the software flaws or loopholes in the website; methods such as proxy services can be used to secure these areas.
Prevention of document corruption. Web services are all about document access and control, so use various cryptographic techniques such as digital signatures, code signing, and integrity checking to validate the integrity of the document.
The primary concern at this layer is with attacks against the brand, infiltration of client-side systems, springboard attacks, denial-of-service attacks, and malware.
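The "prevention of document corruption" goal above comes down to one rule: a client trusts a document only after an integrity check passes. The Python below is an added example, not code from these slides or their source text. It uses HMAC-SHA256 from the standard library as the integrity tag, because that needs no third-party package; a public-key digital signature or code-signing certificate would replace the shared key with a private/public key pair, but the verify-before-trust logic is the same. The key, document name and contents are constructed for illustration.

```python
"""Integrity checking for documents delivered by a web service.

Added example, not from the slides. HMAC-SHA256 stands in for a digital signature;
the key and the document contents are constructed for illustration.
"""
import hashlib
import hmac
from typing import Dict


def _tag(key: bytes, name: str, digest: str) -> str:
    # The tag covers the document name as well as its hash, so a valid record for
    # one document cannot simply be reused for a different document.
    return hmac.new(key, f"{name}\n{digest}".encode(), hashlib.sha256).hexdigest()


def sign_document(key: bytes, name: str, content: bytes) -> Dict[str, str]:
    """Produce the manifest record the server publishes alongside the document."""
    digest = hashlib.sha256(content).hexdigest()
    return {"name": name, "sha256": digest, "tag": _tag(key, name, digest)}


def verify_document(key: bytes, record: Dict[str, str], content: bytes) -> bool:
    """Return True only if the record is authentic and the content matches it.

    Both comparisons use compare_digest so the time taken does not leak how many
    leading bytes of a guessed tag happened to be right.
    """
    if not hmac.compare_digest(_tag(key, record["name"], record["sha256"]), record["tag"]):
        return False  # record altered, or not produced with this key
    actual = hashlib.sha256(content).hexdigest()
    return hmac.compare_digest(actual, record["sha256"])


if __name__ == "__main__":
    key = b"constructed-demo-key-do-not-reuse"
    original = b"Transfer 100.00 to account 42"
    record = sign_document(key, "transfer.txt", original)
    print(record)
    print("intact  :", verify_document(key, record, original))
    print("tampered:", verify_document(key, record, b"Transfer 900.00 to account 42"))
```

Note that changing the document, changing the recorded hash to match a changed document, moving the record to another document name, or verifying with a different key all fail: the record and the content are checked together, which is what distinguishes an integrity check from a bare checksum.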
THE EIGHT P’s OF SECURITY LAYER
Information security breaches are most often caused by either human error or an inconsistency in the implementation of security procedures. By developing a plan that addresses the 8 Ps of information security, planners are likely to gain more cooperation and acceptance of the plan. People would like to believe that they can buy security off the shelf, and persuading people at all levels to buy into the security plan is difficult. Clients need to feel secure in the online access provided and need easy-to-follow procedures for successfully executing secure transactions. Any breach can lead to a significant attack. Therefore, the outermost layer of the security model focuses on encouraging and directing people to take the correct actions with regard to security. By incorporating these 8 Ps into the security design, we will have a far greater chance of success.
THE EIGHT P’s OF SECURITY LAYER
1. People
People need guidelines to direct their actions in the use of the information and the information system. They need to understand the consequences of their actions, both technical and non-technical, and they need to understand what these attacks are and how to prevent them. Caution must be taken when working on a non-secure network (through a PDA, notebook, etc.). Using personal firewalls, virus scanners, and safe online habits can stop hacker activity. People must also consider how they store, use, and transmit information: the cryptographic methods layer works only if people apply encryption to information requiring confidentiality.
THE EIGHT P’s OF SECURITY LAYER
2. Planning
Security planning needs to bring all of the elements of the planning process together as a single, well-thought-out, unified idea. Take into consideration the requirements of the organization, a summary of the risk analysis, information on the cost-benefit of a security design, and current vulnerabilities. The strategy needs to determine the actions that will be taken by the crisis-management team, users, and management in the event of an attack. Use this section of the plan to build confidence in the strategy, not to develop the implementation strategy. Finally, the security plan should conclude with the policies that apply to each area of the security model. Policies should tell us what to do, when to do it, and why we are doing it.
THE EIGHT P’s OF SECURITY LAYER
3. Policy
Policies are categorized, high-level descriptions of the security controls put in place in the organization: legal notices regarding use, monitoring, trespass, and copyright of information or the information system; proper use of company resources; requirements for trusted third parties; e-mail, Web, and other application access and usage; etc. These policies need to be directed at the user community and should be specific and easy to follow. Policies generally define the rights of the employer, employee, user, and guest. The better defined the security policies are, the less the concern for legal liability, waste of corporate resources, or exposure of confidential information.
THE EIGHT P’s OF SECURITY LAYER
4. Procedure
Procedures provide the technical details of enacting a policy/process combination. A procedure should specify how something is implemented. Example: a choke point will be created in the network with a screening router, the details of constructing the access control list, and a fail-safe stance enabled.
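The procedure example just given, together with the design-layer items on choke points, a permission-based (closed) architecture and least privilege, all describe one mechanism: an access control list evaluated at a screening router, first matching rule wins, with a fail-safe default that denies whatever no rule permits. The Python below is an added example, not code from these slides or their source text; every rule, address, port and log line is constructed for illustration. The `fail_safe` switch exists only to contrast the closed stance the slides call for with an open one.

```python
"""Screening-router style access control list with a fail-safe (default-deny) stance.

Added example, not from the slides. Every rule, address, port and log line below is
constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    src: str               # source network in CIDR notation
    dst: str               # destination network in CIDR notation
    dport: Optional[int]   # destination port, None means any port
    comment: str = ""      # why the rule exists; the written procedure records this


# Constructed ACL for a closed architecture: nothing passes unless a rule permits it.
# Order matters: the first rule that matches decides, so specific permits come first.
ACL: List[Rule] = [
    Rule("permit", "0.0.0.0/0",       "203.0.113.10/32", 443,  "public HTTPS front end"),
    Rule("permit", "198.51.100.0/24", "203.0.113.20/32", 22,   "admin SSH from the office"),
    Rule("deny",   "198.51.100.0/24", "203.0.113.0/24",  None, "office may not reach other hosts"),
]


def matches(rule: Rule, src: str, dst: str, dport: int) -> bool:
    """True when the packet falls inside the rule's source, destination and port."""
    return (ip_address(src) in ip_network(rule.src)
            and ip_address(dst) in ip_network(rule.dst)
            and (rule.dport is None or rule.dport == dport))


def screen(acl: List[Rule], src: str, dst: str, dport: int,
           log: List[str], fail_safe: bool = True) -> bool:
    """Decide whether a packet passes the choke point.

    First matching rule wins. With fail_safe=True (closed architecture) an unmatched
    packet is denied and logged; fail_safe=False is the open architecture the slides
    warn against, where anything not explicitly denied gets through.
    """
    for number, rule in enumerate(acl, start=1):
        if matches(rule, src, dst, dport):
            permitted = rule.action == "permit"
            if not permitted:
                log.append(f"DENY rule {number} {src} -> {dst}:{dport} ({rule.comment})")
            return permitted
    if fail_safe:
        log.append(f"DENY implicit {src} -> {dst}:{dport} (no matching rule)")
        return False
    return True


if __name__ == "__main__":
    events: List[str] = []
    for packet in [("192.0.2.5", "203.0.113.10", 443),     # Internet client to web front end
                   ("192.0.2.5", "203.0.113.10", 80),      # plain HTTP is not permitted
                   ("198.51.100.7", "203.0.113.20", 22),   # admin from the office
                   ("198.51.100.7", "203.0.113.30", 22)]:  # office to an unlisted host
        print(packet, "permit" if screen(ACL, *packet, events) else "deny")
    print("\n".join(events))
```

The denial log lines are the tie-in to the event monitoring and logging item on the design-layer slide: every packet the choke point refuses, whether by an explicit rule or by the implicit default, leaves a record that can be reviewed later.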
THE EIGHT P’s OF SECURITY LAYER
5. Process
A process defines the actions that should be taken by the user community and security professionals to make the security plan workable. These processes should complement the policies by instructing users in the steps they need to perform to be compliant with the policy.
THE EIGHT P’s OF SECURITY LAYER
6. Product
Products are the tools, hardware, and software that support the implementation and realization of the security plan. Products need to be purchased legally, according to the specified plan and policy, and not the other way around. It is important to understand the product being used, with all its pros and cons. By clearly articulating the product’s functionality and limitations, we can better determine whether the product meets the needs of the plan.
THE EIGHT P’s OF SECURITY LAYER
7. Perseverance
Perseverance speaks to the drive and heart of the information security professional, the determination of management, and the spirit of the user community. Initially, a security plan may not be completely effective, but once a workable plan exists, quite a bit is accomplished by implementing it. Information security takes a long time to “burn in” and settle. After the plan is in place, the information security analyst needs to begin monitoring and making adjustments accordingly.
THE EIGHT P’s OF SECURITY LAYER
8. Pervasiveness
Information security is everywhere in the organization, not just in the computer’s memory or at the network gateways. Information security success is measured by the combination of everyone’s actions. By working through the eight Ps, our plan will become more acceptable to the user community. People will become more involved in security because you will have given them a role to play and goals to meet.
Question
Jqf vb cqn jnrxnbc yvex ve cqn bntdavcl tqrve?
Ufnb cqvb jnrxnbc yvex qrin rel afyn, vo bf cqne Ve jqvtq Yrlna?
Savnoyl unbtavsn cqn afyn fo cqvb jnrxnbc yvex ve cqrc Yrlna?
Who is the weakest link in the security chain?
Does this weakest link have any role, if so then in which Layer?
Briefly describe the role of this weakest link in that Layer?
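The encoded question is a monoalphabetic substitution, and it makes a good closing illustration of why the web services slide asks for cryptographic methods that are "harder to break". The Python below is an added example, not code from these slides or their source text. The letter pairing was recovered by lining up the encoded lines with the plaintext printed under them: it is a reciprocal (self-inverse) substitution in which a..d swap with r..u, e..h with n..q, and i..m with v..z. The pair g<->p occurs nowhere in the text and is assumed from the pattern of the other pairs.

```python
"""The substitution cipher behind the encoded question on the last slide.

Added example, not from the slides. The pairing was reconstructed from the slide's own
ciphertext/plaintext; the g<->p pair is an assumption, since neither letter appears.
"""
import string
from collections import Counter
from typing import Dict

# Each block of letters swaps with the block written beside it: a<->r, b<->s, ... m<->z.
PAIRS = (("abcd", "rstu"), ("efgh", "nopq"), ("ijklm", "vwxyz"))


def build_table() -> Dict[str, str]:
    table: Dict[str, str] = {}
    for left, right in PAIRS:
        for a, b in zip(left, right):
            table[a], table[b] = b, a
            table[a.upper()], table[b.upper()] = b.upper(), a.upper()
    return table


TABLE = build_table()


def transform(text: str) -> str:
    """Encrypt or decrypt with one function: applying the pairing twice is the identity.

    Anything that is not a letter (spaces, punctuation) passes through unchanged, which
    is exactly the structure a monoalphabetic substitution fails to hide.
    """
    return "".join(TABLE.get(ch, ch) for ch in text)


def most_common_letter(text: str) -> str:
    """Frequency analysis: the busiest ciphertext letter is the partner of plaintext 'e'."""
    counts = Counter(ch for ch in text.lower() if ch in string.ascii_lowercase)
    return counts.most_common(1)[0][0]


# The three encoded lines exactly as they appear on the slide.
ENCODED = ("Jqf vb cqn jnrxnbc yvex ve cqn bntdavcl tqrve? "
           "Ufnb cqvb jnrxnbc yvex qrin rel afyn, vo bf cqne Ve jqvtq Yrlna? "
           "Savnoyl unbtavsn cqn afyn fo cqvb jnrxnbc yvex ve cqrc Yrlna?")

if __name__ == "__main__":
    print(transform(ENCODED))
    busiest = most_common_letter(ENCODED)
    print("most common ciphertext letter:", busiest, "-> plaintext", TABLE[busiest])
```

Word lengths, capitalisation, punctuation and letter frequencies all survive the substitution, so even without the table a reader could start from the most frequent ciphertext letter and the repeated three-letter word. That is the property that separates a puzzle like this from the cryptographic methods the model relies on.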